Personal data breach notification is the action that a personal information controller or personal information processor is required to take under the Data Privacy Act of 2012 when a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is transmitted, stored, or otherwise processed. Generally, notification is required only when all of the following are present:
- The personal data involves sensitive personal information or any other information that may be used to enable identity fraud. “Other information” includes, but is not limited to: data about the financial or economic situation of the data subject; usernames, passwords and other login data; biometric data; copies of identification documents, licenses or unique identifiers such as Philhealth, SSS, GSIS or TIN numbers; or other similar information which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits.
- There is reason to believe that the information may have been acquired by an unauthorized person; and
- The personal information controller or the National Privacy Commission believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
However, where there is uncertainty as to the need for notification, the personal information controller shall take into account, as a primary consideration, the likelihood of harm or negative consequences on the affected data subjects, and how notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred. The personal information controller shall also consider if the personal data reasonably believed to have been compromised involves:
- Information that would likely affect national security, public safety, public order, or public health;
- At least one hundred (100) individuals;
- Information required by applicable laws or rules to be confidential; or
- Personal data of vulnerable groups.
Who should be notified
The law requires the personal information controller to notify:
- the National Privacy Commission and
- the individuals whose personal information has been affected by the breach (data subjects).
When should notification be done
- to the National Privacy Commission
The National Privacy Commission should be notified within seventy-two (72) hours from the time the personal information controller or processor gains knowledge of, or arrives at a reasonable belief that, a personal data breach has occurred.
Notification may only be delayed to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. The personal information controller need not be absolutely certain of the scope of the breach prior to notification. Its inability to immediately secure or restore integrity to the information and communications system shall not be a ground for any delay in notification, if such delay would be prejudicial to the rights of the data subjects. Delay in notification shall not be excused if it is used to perpetuate fraud or to conceal the personal data breach.
However, delay in the notification is prohibited if the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject. In both instances, the Commission shall be notified within the 72-hour period based on available information. The full report of the personal data breach must be submitted within five (5) days, unless the personal information controller is granted additional time by the National Privacy Commission to comply.
- to the data subjects
The data subjects should be notified within seventy-two (72) hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred. The notification may be made on the basis of available information within the 72-hour period if the personal data breach is likely to give rise to a real risk to the rights and freedoms of data subjects. It shall be undertaken in a manner that would allow data subjects to take the necessary precautions or other measures to protect themselves against the possible effects of the breach. It may be supplemented with additional information at a later stage on the basis of further investigation.
If it is not reasonably possible to notify the data subjects within the prescribed period, the personal information controller shall request the National Privacy Commission for an exemption from the notification requirement, or the postponement of the notification. A personal information controller may be exempted from the notification requirement where the National Privacy Commission determines that such notification would not be in the public interest or in the interest of the affected data subjects. The National Privacy Commission may authorize the postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach, taking into account circumstances provided under the regulations, and other risks posed by the personal data breach.
What the notification should state
- to the National Privacy Commission
The notification, which should be in the form of a written or electronic report, should include, at the very least, the following information:
- Nature of the Breach
- description of how the breach occurred and the vulnerability of the data processing system that allowed the breach;
- a chronology of the events leading up to the loss of control over the personal data;
- approximate number of data subjects or records involved;
- description or nature of the personal data breach;
- description of the likely consequences of the personal data breach; and
- name and contact details of the data protection officer or any other accountable persons.
- Personal Data Possibly Involved
- description of sensitive personal information involved; and
- description of other information involved that may be used to enable identity fraud.
- Measures Taken to Address the Breach
- description of the measures taken or proposed to be taken to address the breach;
- actions being taken to secure or recover the personal data that were compromised;
- actions performed or proposed to mitigate possible harm or negative consequences, and limit the damage or distress to those affected by the incident;
- action being taken to inform the data subjects affected by the incident, or reasons for any delay in the notification;
- the measures being taken to prevent a recurrence of the incident.
- to the data subjects
The notification, which should be done individually through secure means of written or electronic communication, should include, at the very least, the following information:
- nature of the breach;
- personal data possibly involved;
- measures taken to address the breach;
- measures taken to reduce the harm or negative consequences of the breach;
- representative of the personal information controller, including his or her contact details, from whom the data subject can obtain additional information regarding the breach; and
- any assistance to be provided to the affected data subjects.
Copyright 2018. All rights reserved.